If you are wondering where all those “we collect cookies” notifications come from, this article is for you. The GDPR is the answer to that question, and also the reason websites ask you to accept them. So what is the GDPR?
Taking full effect in May 2018, the General Data Protection Regulation (GDPR) is a legal framework that lays down rules for the gathering and processing of the personal data of European citizens. It applies to all websites that attract European visitors, regardless of where the websites are located or whether they sell goods or services to EU residents.
Data Protection and Accountability
Organizations that collect, manage, and store personal information should strictly adhere to the six principles of the GDPR.
The GDPR guidelines promote ethical practices intended for data protection and accountability, which seek to empower both customers and businesses in this digital age.
The new framework is a revamp of the Data Protection Directive (DPD), enacted in 1995, so most companies already have policies in place. However, it is essential to understand the new regulations to ensure full compliance with the changes. To do so, let us tackle each principle of the GDPR.
Here are the GDPR principles businesses need to adhere to for compliance and best practices.
Being Lawful, Fair, and Transparent
Lawful means the organization should have legitimate grounds for collecting data from an individual. Fairness denotes that the process should not, in any way, harm or have an unpleasant effect on the person.
Transparency combines the first two elements but also strongly stipulates that the individual must be informed about the data collection and given a choice to agree to it.
The company should explain why it needs to process the person’s personal information, how it will process the data, who is responsible for protecting it, and with whom it will share it. Furthermore, any communication with the person concerned should be easy to access and understand, as well as written in clear and straightforward language.
Only Legitimate Purposes
The second principle is technically an expansion of the first. It postulates that the data collectors can only use the information in ways they disclosed to the subject or for the specific reason they described. It is imperative that the individual knows and understands the objective of the company for gathering the information.
If the company would like to use the data for another purpose, it should obtain separate consent from the individual concerned. For example, a company that collects email addresses from customers to send updates or marketing communications can only use those addresses for that purpose. It cannot, under any circumstances, sell its customers’ emails to third parties or use them to set up user accounts without permission from the owner.
Minimize Data Collected
The third principle is the GDPR’s way of telling organizations to stop gathering data they don’t need.
Companies should only obtain information that is necessary for their business to run. The limitation serves as a safety net against the over-collection of information.
As the third principle succinctly states, the data collected should be adequate, relevant, and limited to what is necessary. Simply put, a company does not need to know its customer’s ethnic background, religious beliefs, or birth date to process an online purchase for shoes.
In the DPD, personal data covered only the usual identifiable information such as name, address, phone number, account number, and identification number.
The GDPR broadened the scope to encompass a wide variety of online identification markers such as email and IP addresses, biometric information, and facial images. One other significant improvement is that under the DPD, businesses were not obliged to report a data breach. The GDPR, however, requires that controllers report any incident to the proper authorities as soon as possible.
Current and Accurate
The company should only keep data that is correct and up-to-date. If the information is outdated or inaccurate, the company should delete or rectify it as soon as possible. For instance, an invalid email address has no place in the system. Besides, who wants a database full of undeliverable emails?
If the company has an alternative way of getting in touch with the person, it should contact the individual for updated information. However, this only applies if the company has a long-term relationship with the customer and uses their email address regularly to send marketing leads, for instance.
While companies are fully responsible for the accuracy of the data they keep, they are not accountable for any inaccurate information individuals might have intentionally supplied. Even so, companies must have in place a system that allows them to facilitate corrections quickly and efficiently.
More importantly, companies should carefully sift through the information they collect and only enter data that has been validated. To deter individuals from providing inaccurate data, companies can include in their terms and conditions a clause that explains the importance of giving correct information. It is also vital that they keep a record of the data sources.
The fourth principle also covers the Right to Rectification, wherein individuals can freely request organizations to remove or alter any incomplete, irrelevant, or misleading information about them.
Companies should not retain any data they no longer need. Any personal information should be deleted or destroyed after it has served its purpose. Another way to get rid of data is to anonymise it or alter it in a way that it no longer links to any individual.
The tricky part is that the GDPR does not specify how long data may stay in the system, only that retention is limited to a strict minimum, one of the differences from the earlier data protection rules that needs to be taken into account.
If companies decide to keep data, they must be able to justify how long they intend to retain it and the reason for doing so. Data retention is necessary for companies that feature consumer protection or warranties. For instance, companies that offer a 10-year warranty are obliged to store customers’ information until such time a claim arises or the term expires. The point is, organizations should not save any personal data longer than necessary.
Confidentiality and Integrity
Organizations should have reliable security measures to protect personal data from illegal processing, damage, or loss. GDPR does not explicitly mention which specific methods organizations should use.
However, it does require the pseudonymisation and encryption of personal data wherever possible. It also expects organizations to be able to restore access to, and the availability of, personal data that is accidentally lost because of technical issues.
Furthermore, companies should put in place a process that regularly tests and evaluates the effectiveness of their data protection measures.
In the case of a data breach, the GDPR mandates under Article 33 that organizations report the incident to the proper supervisory authority not later than 72 hours after its discovery.
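As an added example (not code from the article or from any GDPR guidance), the Python sketch below shows three of the controls the storage-limitation and confidentiality paragraphs above describe on one small set of constructed customer records: pseudonymising direct identifiers with a keyed hash whose key is assumed to live in a separate key store, irreversibly anonymising records whose purpose has lapsed, and enforcing a retention period per declared purpose. The field names, the key value, the purposes, and every retention period other than the article's 10-year warranty are assumptions.

```python
# Added example (not from the original article): pseudonymisation,
# anonymisation and retention enforcement over a small, constructed set of
# customer records. Field names, purposes and retention periods are assumptions.
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Assumption: the pseudonymisation key is held in a separate key store, never
# alongside the pseudonymised records. This value is a constructed placeholder.
PSEUDONYM_KEY = b"placeholder-key-held-in-a-separate-store"

# Assumption: retention periods per declared purpose. The 10-year warranty
# figure follows the article's example; the marketing period is constructed.
RETENTION = {
    "warranty": timedelta(days=10 * 365),
    "marketing": timedelta(days=2 * 365),
}

IDENTIFIER_FIELDS = ("email", "ip")


def pseudonymise(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Return a keyed hash (HMAC-SHA256) of a direct identifier.

    A plain SHA-256 of an email address can be reversed by hashing a list of
    candidate addresses; the secret key prevents that. Re-identification is
    possible only for whoever holds the key, which is what makes the output
    pseudonymous rather than anonymous.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise_record(record: dict) -> dict:
    """Replace direct identifiers with pseudonyms; everything else is kept."""
    out = dict(record)
    for field in IDENTIFIER_FIELDS:
        if out.get(field):
            out[field] = pseudonymise(out[field])
    return out


def anonymise_record(record: dict) -> dict:
    """Irreversibly strip the record: identifiers are dropped, not hashed, and
    the collection timestamp is coarsened to the month so the remaining
    fields no longer single out one person."""
    out = {k: v for k, v in record.items() if k not in IDENTIFIER_FIELDS}
    out["collected_at"] = record["collected_at"].strftime("%Y-%m")
    return out


def expired(record: dict, now: datetime) -> bool:
    """Storage limitation: a record is expired once the retention period for
    its declared purpose has elapsed. A purpose with no justified retention
    period is treated as expired."""
    period = RETENTION.get(record["purpose"])
    if period is None:
        return True
    return now >= record["collected_at"] + period


def apply_retention(records: list, now: datetime) -> dict:
    """Split records into those still justified (kept, pseudonymised) and
    those past their purpose, which are reduced to anonymised statistics."""
    kept, anonymised = [], []
    for record in records:
        if expired(record, now):
            anonymised.append(anonymise_record(record))
        else:
            kept.append(pseudonymise_record(record))
    return {"kept": kept, "anonymised": anonymised}


# Constructed sample records (not real people).
SAMPLE_RECORDS = [
    {"email": "Alice@example.com", "ip": "203.0.113.7", "purpose": "warranty",
     "collected_at": datetime(2016, 3, 1, tzinfo=timezone.utc)},
    {"email": "bob@example.com", "ip": "198.51.100.2", "purpose": "marketing",
     "collected_at": datetime(2016, 3, 1, tzinfo=timezone.utc)},
    {"email": "carol@example.com", "ip": None, "purpose": "newsletter-trial",
     "collected_at": datetime(2018, 5, 25, tzinfo=timezone.utc)},
]


def run_example() -> dict:
    """Run the retention pass at a fixed, constructed point in time."""
    now = datetime(2019, 1, 1, tzinfo=timezone.utc)
    return apply_retention(SAMPLE_RECORDS, now)


if __name__ == "__main__":
    result = run_example()
    for r in result["kept"]:
        print("kept      ", r["purpose"], r["email"][:16] + "...")
    for r in result["anonymised"]:
        print("anonymised", r)
```

At the constructed date the warranty record is still inside its 10-year window and is kept with its email and IP replaced by pseudonyms, the marketing record has passed its assumed two-year period and is reduced to a purpose and a month, and the record whose purpose has no declared retention period is treated the same way. Keeping the HMAC key away from the records is the whole point of the pseudonymisation step: without it, the hashes cannot be re-linked to a person, but whoever holds it can still honour a rectification or erasure request.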